Use of a VPN is always recommended when connecting your enterprise mobile devices directly to Exchange Server. Here are a few tips to ensure that your deployment is as secure as possible:

Always use SSL encryption (and authentication) for connections between the mail server and the mobile device. You should never allow sensitive corporate data to transit on the Internet unencrypted. If you do not encrypt the connection, your organization’s e-mail will transit the Internet in clear text which can easily be read an the intercepting person.

The Exchange ActiveSync protocols include a number of device security features that you can use to ensure that the data on each device is protected against loss and theft. All of these are best practices and should be implemented in accordance with your existing corporate security policies:

Password complexity policies can be set on the mobile device remotely when it connects to the mail server. For example, you can specify that a password have a minimum length and include a minimum number of alphanumeric characters.

You can set a device lock timer, meaning that once the device has been idle for a certain amount of time, the device will automatically lock, forcing the user to enter the password again in order to access it.

You can ensure that encryption on the device hard disk and removable media is enabled, ensuring that a phone that gets into the wrong hands does not contain easily readable data.

You can remotely wipe a device, either automatically, such as when there have been too many failed password attempts, or by administrative command if the device is lost or stolen.

Ensure that your Microsoft Exchange Server (or other e-mail server) is always properly patched and up to date.

Some vendor SSL VPNs allow your organization to proxy ActiveSync traffic without deploying any software onto the endpoint device. From a feature and user-experience perspective, this approach is no different from an approach where the end user connects directly to the mail server. On the other hand, the following benefits are associated with taking this proxy approach:

A VPN gateway is purpose-built to be hardened and secured. These types of devices are specifically built and designed to be accessible from the Internet. As such, they have typically gone through numerous security audits, are regularly patched and updated, and have built-in protections against attacks that are generally faced by Internet-facing devices.

VPN gateways support strong authentication. If your organization operates like a lot of others, you want to use strong authentication, such as one-time passwords or X.509 digital certificates, to identify users connecting to your network. VPN gateways support this functionality natively, so there is no need to provide alternate authentication mechanisms for your mobile device deployment.

The VPN approach allows you to standardize on a single platform for all of your remote access needs. Because you are likely already using this type of gateway for access from traditional devices, you can ensure that all remote access into your network leverages a single termination point, simultaneously simplifying operations and reducing the number of devices you have exposed to the Internet.

Leveraging a VPN gateway today allows you to expand your scope as you support additional mobile device applications. Because these devices support the ability to provide access to several different types of applications — as your mobile device deployment grows in size and becomes more strategic — you can include additional applications with the initial VPN gateway without swapping out or providing additional termination points in the future.